Ministries beware: An email scheme, designed to coincide with tax season, asks payroll and human resource professionals to disclose employees’ personal information. Think you wouldn’t fall for such a scam? You might, if the email looks as if it came from someone in your ministry.
According to an Internal Revenue Service alert, the phishing emails often contain the actual name of someone in your organization, such as a board member or pastor. This “spoofing” technique makes the request appear legitimate. Scam emails may look like these examples:
—Kindly send me the 2016 W-2s and earning summaries for all of our staff for a quick review.
—Can you send me the updated employee list with full details—name, Social Security Number (SSN), date of birth, home address, and salary?
—I need a list of employees’ wage and tax statements for 2016. Email it to me ASAP. Similar scams involve a request to wire money. The methodology is the same: an email that appears to come from a board member or pastor requests that a wire transfer be made to an unfamiliar account. The email could say that it’s for an overseas charity that the pastor feels needs assistance.
IRS Criminal Investigation already is reviewing several cases in which organizations unwittingly shared SSNs with cybercriminals. These email schemes are designed to look like official IRS communications, and ask organizations to give out information about refunds, filing status, personal information, or to verify PIN information. Be aware that the IRS generally does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. You can read more about the new consumer alerts issued by the IRS here.
If something looks suspicious, look carefully at the sender’s email address. At first glance, it may appear authentic. You may see email@example.com, when you should see jdoe@‹yourministrydomain›.org. When in doubt, don’t click anything—verify that the person claiming to send the email actually sent it by checking in person or with a phone call. You can also set a policy for financial data requests to be made only in person. To protect sensitive data, avoid emailing employee information unless using a secure transfer method.